We were discussing TLS, as would be used to protect assets such as the FreePBX admin GUI, UCP and provisioning. SIP UDP is protected differently, with two iptables rules: one that accepts packets containing the domain name, and one that accepts ‘established’ and ‘related’ packets. See
Now, I admit that the TLS case would be vulnerable to an Apache bug that allowed an unauthenticated attacker to take over a dummy site that always returned a 403, or an iptables bug that allowed an attacker to bypass an arbitrary rule. However, such bugs would not be limited to PBXes and would affect all linux servers, perhaps 100 million machines, and would be quickly publicized and patched.